Analysis Report Y88576645635_03112021.PDF.exe

Overview

General Information

Sample Name: Y88576645635_03112021.PDF.exe
Analysis ID: 367711
MD5: 4f0fdcac715b3d952ffab9e7d3ee86ac
SHA1: 1079108984d0587302e2576c6e72c18a1021154b
SHA256: 047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Y88576645635_03112021.PDF.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe' MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)
    • Y88576645635_03112021.PDF.exe (PID: 6596 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)
      • Y88576645635_03112021.PDF.exe (PID: 6316 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)
        • vbc.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000006.00000002.908387169.0000000008090000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b719:$key: HawkEyeKeylogger
  • 0x7d917:$salt: 099u787978786
  • 0x7bd32:$string1: HawkEye_Keylogger
  • 0x7cb85:$string1: HawkEye_Keylogger
  • 0x7d877:$string1: HawkEye_Keylogger
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c13b:$string2: holdermail.txt
  • 0x7c05d:$string3: wallet.dat
  • 0x7c075:$string3: wallet.dat
  • 0x7c08b:$string3: wallet.dat
  • 0x7d459:$string4: Keylog Records
  • 0x7d771:$string4: Keylog Records
  • 0x7d96f:$string5: do not script -->
  • 0x7b701:$string6: \pidloc.txt
  • 0x7b767:$string7: BSPLIT
  • 0x7b777:$string7: BSPLIT
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
6.2.Y88576645635_03112021.PDF.exe.39b1b50.8.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
6.2.Y88576645635_03112021.PDF.exe.8090000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.Y88576645635_03112021.PDF.exe.81f0000.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
11.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, CommandLine: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, NewProcessName: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe' , ParentImage: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ParentProcessId: 7100, ProcessCommandLine: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ProcessId: 244

              Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Y88576645635_03112021.PDF.exe | Avira: detected
Found malware configuration
Source: vbc.exe.6880.11.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: Y88576645635_03112021.PDF.exe | ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: Y88576645635_03112021.PDF.exe | Joe Sandbox ML: detected
Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe | Unpacked PE file: 0.2.Y88576645635_03112021.PDF.exe.610000.0.unpack
Source: Y88576645635_03112021.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Y88576645635_03112021.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 10_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 11_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 11_2_00407E0E
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_077DFEE3
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_07E00326
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 6_2_07E0018F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49749 -> 103.27.200.199:21
Source: global traffic | TCP traffic: 192.168.2.4:49750 -> 103.27.200.199:35996
Source: Joe Sandbox View | IP Address: 103.27.200.199
Source: Joe Sandbox View | ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Source: unknown | FTP traffic detected: 103.27.200.199:21 -> 192.168.2.4:49749 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 2 of 50 allowed. 220-Local time is now 08:08. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 84.102.13.0.in-addr.arpa
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903800843.0000000002BBE000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.triplelink.co.th
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650605072.0000000002B31000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y88576645635_03112021.PDF.exe, 00000004.00000002.658406658.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://tempuri.org/XXXXXXXXXXXXXXXXXXXXXXX.xsd
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.678715082.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.L
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.663167419.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.663058162.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com#
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666502735.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669031244.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.668835911.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.667638331.0000000005B47000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com2
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comionm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662492268.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.cg
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662492268.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662579211.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cne-d0
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnp
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.675783220.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.675783220.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/%
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-es_
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-u
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 0000000B.00000002.699152607.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krnotm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krt
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669939773.0000000005B48000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000003.669797236.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666196255.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de6
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669858103.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deF
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666502735.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deasu
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666257144.0000000005B45000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deic
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662850878.0000000005B48000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnK
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650605072.0000000002B31000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 0000000B.00000003.699009463.000000000096E000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6316, type: MEMORY
              Source: Yara match | File source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 10_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
              Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650126431.0000000000F98000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sample | Static PE information: Filename: Y88576645635_03112021.PDF.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 11_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary